The effectiveness of risk management can help an organization succeed. It’s about the right strategies and objectives that deliver value, considering what might happen.
If an organization seeks to perform at world-class levels, it needs to have highly effective processes and practices for managing what might happen – risk.
They should be assessed and the results shared with the board by several:
- The CEO, perhaps delegated to the COO or CFO
- The chief risk officer (if there is one)
- The head of internal audit
My good friend, Alexei Sidorenko of the Risk Academy recently shared a video on the topic.
He makes some good points, suggesting that assessors consider:
- Organizational performance
- Evidence that risk was considered in key decisions
- The culture of the organization
I think there is more that can and should be done.
I also disagree with the idea that organizational success has a clear correlation with the effectiveness of risk management. Poorly run companies can be lucky and well-run ones unlucky.
In addition to addressing the topic in World-Class Risk Management, I covered the topic in a 2017 IIA post: How Should You Audit and Assess Risk Management?
Risk management is about:
Setting the right strategies and objectives to deliver value, considering what might happen (risk).
Understanding how the achievement of objectives may be affected by events and situations as management and staff execute those strategies.
Acting to modify the likelihood and effect of those events and situations, recognizing that each event or situation can have multiple consequences — some favorable and some adverse.
Ensuring that decisions are informed and intelligent, whether in setting or modifying strategies, or in executing them every day through management decisions across the extended enterprise, such that the right levels of the right risks are taken.
Monitoring and reporting so that board members and senior managers understand not only the levels of individual sources of risk, but whether they are likely (or not) to achieve each of their objectives.
I also said:
You could audit and assess risk management in a number of ways. For example:
- An audit of compliance with corporate risk policies and procedures.
- Assessing risk management maturity, using one of the available risk management maturity models (I have a few in World-Class Risk Management).
- Assessing whether the principles for effective risk management are achieved (drawing on those in ISO31000:2009 or in COSO ERM 2017 — see here for a discussion).
I personally like a risk and objectives-based approach to pretty much any audit. Here the objective is to manage risk at desired levels. There are multiple risks to achieving that objective (again, described in detail in my book), such as failures to:
- Include the appropriate people in decisions, where risk is taken.
- Obtain reliable, current, and timely information on which to base decisions.
- Address cognitive bias, which can affect both an individual and a group’s assessment of risk.
- Ensure the desired attitude towards risk: behaviors that are influenced by the culture of the organization, a location, function, or business unit.
- Obtain buy-in from all key individuals at all levels of management.
This is what I recommend for anybody seeking to audit and assess risk management (or the management or risk).
- Understand risk management and its principles. The ISO31000:2009 and the 2017 COSO ERM Framework are just two possible sources, but I would also recommend my book and that of John Fraser, Implementing Enterprise Risk Management: Case Studies and Best Practices.
- Understand what the organization needs from risk management. Start with understanding how and where decisions are made and risks taken. In fact, understanding who makes decisions and therefore takes risk is critical to understanding how risk is managed. Is it centralized or decentralized? Do individuals have a lot of autonomy and decision-making or is consensus required? Is risk dynamic, volatile, or relatively stable?
- What are the risks to effective risk management? What could go wrong and what needs to go right for there to be reasonable assurance that the right levels of the right risks are taken? (“Right” means what is desired and possibly approved by the executive management team and the board.)
- What controls are in place to address these risks?
- Is the design adequate? If the controls are operating consistently as designed, is there reasonable assurance that risk will be managed at desired levels?
- Perform controls testing to obtain assurance that they are operating effectively as designed.
- Assess the results of your work. Where is risk management on the maturity curve? What can and should be done to improve it at an appropriate cost? Recognize that one of the costs may be slowing down decision-making and losing operational opportunities.
- Communicate the results and your insights.
Let me add to that now.
Why not have a series of discussions with decision-makers? Include all the top executives, but also include a good number at varying levels of management across the organization.
Consider questions like these that ask the opinions of the executives, the ones running the organization:
- Do you (the executive) believe that risk management (which could mean a function or a set of policies and procedures) helps you be successful? Does it increase the likelihood of achieving your and the organization’s objectives?
- Does it (risk management) help you make better decisions?
- Does it meet the needs of the organization?
- Does everybody use/practice risk management as well as they should?
- Where could improvements be made?
- Do top management and the board receive the information they need, when they need it?
- Do the filings with the regulators sufficiently explain how the organization addresses risk?
- Should a greater or lesser investment be made in risk management?
- Does risk management give you a competitive advantage?
- What would you change?
I welcome your thoughts.
- Was Silicon Valley Bank a failure of risk management? - March 28, 2023
- The risk is assessed as high. So what? - March 15, 2023
- Putting cyber risk into business perspective - February 15, 2023